GP not applying to new users/pc's ...

  • Thread starter Rosello M. Bagundol

Rosello M. Bagundol

I have a GP set on a group of users. I'm using Windows 2000 AS. Recently, I
have joined a new computer to the domain but the policy settings are not
propagating to that PC when I used an existing user account (the user
account to which the GP is applied). Any ideas why this is happening?
 

lforbes

Hi,

More than likely this is a DNS issue. Make sure your DNS is set up
correctly and the new computer account is registered in your Windows
2000 DNS server. http://www.sd61.bc.ca/windows2000/dns.htm

Cheers,

Lara
 

Bruce Sanderson

To add to what lforbes has said, I've found some Windows XP computers get
Application Event Log entries with Source = UserEnv 1053 ("Windows cannot
determine the computer name. (An internal error occurred.) Group Policy
processing aborted.") or Userinit 1000 ("Could not execute the following
script [logon script name]. The system cannot find the file specified.").
You might also see System Event Log entries with Source = LsaSrv 40961 ("The
Security System could not establish a secured connection with the server
cifs/DomainControllerName.DomainName. No authentication protocol was
available.").

In some cases, what appears to be happening is that the NetLogon service is
starting and attempting to communicate with the Domain Controller before the
DNS Client service has been able to communicate with a DNS server; this
causes the attempt to resolve the domain name via DNS to fail and thus other
startup processing doesn't get done. Making the NetLogon service dependent
on the Dnscache service appears to fix this issue, at least in some cases.

To make the NetLogon service dependent on the Dnscache service:
1. open regedit
2. navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
3. double click on DependOnService in the right pane
4. click on the end of the line that reads "LanmanWorkstation" (to remove
the highlighting/selection)
5. press Enter to get a new line
6. key Dnscache
7. click OK
8. restart the computer

See if this fixes this problem.

One way to automate this change is using the sc command:

sc config netlogon depend= LanmanWorkstation/Dnscache

(Note the space between the "=" sign and "LanmanWorkstation".)
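
An added example, not part of Bruce Sanderson's post: `sc config ... depend=` replaces the whole dependency list, so this PowerShell sketch appends Dnscache to whatever Netlogon already depends on instead. It assumes Windows PowerShell run from an elevated prompt; the variable names are illustrative.

```powershell
# Added example: add Dnscache to Netlogon's dependency list, keeping the
# entries that are already there. Run from an elevated prompt.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
$name = 'DependOnService'
$want = 'Dnscache'

# DependOnService is a REG_MULTI_SZ; read it as an array (empty if absent).
$prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$current = @()
if ($prop) { $current = @($prop.$name | Where-Object { $_ }) }

Write-Output ("Current dependencies: " + ($current -join ', '))

if ($current -contains $want) {          # -contains is case-insensitive
    Write-Output "$want is already listed; nothing to change."
} else {
    $new = [string[]]($current + $want)
    Set-ItemProperty -Path $key -Name $name -Value $new -Type MultiString
    Write-Output ("New dependencies:     " + ($new -join ', '))
    Write-Output 'Restart the computer for the new start order to apply.'
}

# Confirm what the Service Control Manager reports. Use sc.exe here:
# in Windows PowerShell, plain "sc" is an alias for Set-Content.
sc.exe qc netlogon
```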
 

Ken B

Hey Bruce-

I tried doing what you suggested (in addition to adding a policy to always
wait for the network before logon), to no avail. I still have 2 new
computers that aren't receiving the machine policy correctly (particularly
the software deployment policy). Do you have any other suggestions?

Tks

Ken



Bruce Sanderson

Perhaps you have already done some of these steps, but here's how I would
investigate this problem:

1. verify that you have the correct computer name and that the computer
   account for that computer is in the OU that has the GPO(s) linked (or
   inherited) to it
   a. logon at the problem computer with a Domain User's account
   b. open a Command Prompt
   c. key set computername; make a note of the name displayed
   d. key set logonserver - this should be the name of one of the domain
      controllers
   e. in Active Directory Users and Computers, find out what OU that
      computer account is in
      i. right click on the top OU
      ii. select Find
      iii. from the Find: drop down list, select Computers, key the name
           from step c in the Computer name: text box; click Find Now
      iv. select View, Choose Columns
      v. if Published At is not in the right pane, select it from the left
         pane and click Add; click OK
      vi. make a note of which OU the computer name is "Published At"
   f. using GPMC, ensure that the GPOs with the missing settings are linked
      or inherited into the OU determined from e. vi.

2. use the Group Policy Results tool in the Group Policy Management Console
(bottom item in the tree in the left pane) to get a report of what's going
on with those two computers.

3. logon to one of the problem computers as an administrator and use the
gpresult /v command to see what settings in what GPOs are being applied.

4. look for any Warning or Error entries in the System and Application Event
Logs that are related to domain connectivity, Group Policy processing,
w32tm, Userenv or Userinit.

5. verify that any settings you are applying can be applied to whatever OS
is running on the problem computers. Some GP settings are only available on
Windows XP or Windows 2003 server.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.
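
An added example, not part of Bruce Sanderson's post: a PowerShell sketch that collects the facts from steps 1, 3 and 4 on the problem computer in one pass. It assumes a Windows version with `Get-WinEvent`, narrows step 4 to the three event IDs named earlier in the thread, and uses a 7-day window and an output path that are illustrative choices.

```powershell
# Added example: gather the step 1, 3 and 4 facts on the problem computer.

# Steps 1c/1d: computer name and the domain controller that handled the logon.
"Computer name : $env:COMPUTERNAME"
"Logon server  : $env:LOGONSERVER"

# Step 1e: find the computer account; its DN shows which OU it sits in.
try {
    $filter  = "(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
    $account = ([adsisearcher]$filter).FindOne()
    if ($account) {
        "Computer DN   : " + $account.Properties['distinguishedname'][0]
    } else {
        "Computer DN   : not found in the directory"
    }
} catch {
    # A failed lookup is itself a finding: the machine cannot reach a DC.
    "Computer DN   : directory lookup failed: $($_.Exception.Message)"
}

# Step 3: save the applied GPOs and settings for later comparison.
$report = Join-Path $env:TEMP 'gpresult.txt'   # illustrative path
gpresult.exe /v | Out-File -FilePath $report
"gpresult /v   : saved to $report"

# Step 4: events named in the thread (UserEnv 1053, Userinit 1000,
# LsaSrv 40961) from the last 7 days (illustrative window).
$query = @{
    LogName   = 'Application', 'System'
    Id        = 1053, 1000, 40961
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Userenv|Userinit|LsaSrv' }

if ($events) {
    $events | Sort-Object TimeCreated |
        Format-Table TimeCreated, LogName, ProviderName, Id -AutoSize
} else {
    'No matching UserEnv/Userinit/LsaSrv events in the last 7 days.'
}
```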

